spf-discuss

Goal of SPF

2003-12-15 21:38:27
Greg and I have come a long way in understanding each other in a couple
emails.  As it turns out, I do not have a misconception of what spf is or
how it works, or how smtp works or anything -- I had a misconception about
what spf *wants* to do.

I *was* under the impression that the goal was to stop spam by means of
sender verification, or at least sender's-domain verification.

But it's clear now that stopping spam is not the goal.  Rather, *reducing*
spam is the goal.

The goal of spf is not sender verification.

I do feel that sender verification is vital to stopping spam -- without
sender verification, we still have no way of tracking down a spammer after a
spam attack.  (Those who immediately say "sasl" here -- read on to the
bottom.)  Granted, the pool of people under suspicion after a spam attack is
smaller using spf than it is without -- the people under suspicion might be
reduced from 6 billion to 1 million, or even a few hundred thousand.

But if we had sender verification, the number of people under suspicion
after a spam attack is reduced to one, maybe a few -- The true user, and the
people who would be able to crack his/her password or whatever authorization
mechanism is in place to identify him/her.

I am willing to concede that spf will reduce spam if widely adopted.  But
that's not good enough for me.  I intend to stop spam.  And I believe that
the sender verification proposal(s) are no more complex than spf, with
greater benefits.

As a side-effect, if a protocol were adopted that provides sender
verification, nobody would be able to spoof anybody's email address, even if
they use the same domain or isp.  (Like it or not, not every domain is going
to use sasl, and you might say "that's the domain's responsibility, not
ours," and you would be right.  But whoever's responsibility it is, it *is*
our *problem.*  I think it's vital you have the ability to protect yourself,
not just assume the sender's domain is protecting you.)  In my opinion,
stopping forgery including same-isp forging or same-domain forging is a good
thing, and spf doesn't have the ability to do that.  But it's already clear
that I'm looking for a different product.

All the same, I enjoy reading the spf conversations, and occasionally
responding.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt